Insights from industry experts

HIPAA Enforcement: Five Suggestions

A recent report from the HHS Office of the Inspector General would have us believe that one of the reasons OCR is not more effective in its enforcement is because the office hasn't yet initiated random HIPAA compliance audits, as called for by the HITECH Act. But this ignores the ineffectiveness of earlier HIPAA audits conducted by the Centers for Medicare & Medicaid Services a few years back. CMS conducted only a few randomly targeted audits. So healthcare organizations perceived there was very little chance they'd get audited.

Before addressing how OCR could be more effective in its HIPAA enforcement, I'd like to first recognize what the office has already accomplished.

OCR could find a way to be more transparent with respect to the actions it takes.

Since taking over enforcement of the HIPAA Security Rule (the office already was enforcing the HIPAA Privacy Rule) from CMS in June of 2009, OCR also had to develop many of the rules to carry out the HITECH Act mandates. Despite this, OCR increased the number of complaints that resulted in corrective action from an anemic 10 percent to just over 50 percent in their first year of responsibility, officials of the office have said in recent presentations. That means that a covered entity now has a 50/50 chance of receiving a corrective action judgment against them after a complaint is filed.

In addition, OCR investigates all the health information breaches affecting 500 or more individuals reported under the HITECH Act breach notification rule. Almost 280 of these major breaches have been reported since September 2009. OCR also has received reports of about 31,000 smaller breaches as well, an OCR official acknowledged at a recent meeting.

Some investigations of major breaches have resulted in informal agreements for corrective action that have not been publicized, OCR officials confirm. Some of these involve OCR oversight until corrective action is completed. And OCR recently has levied financial penalties in at least three HIPAA cases, including a HIPAA privacy violation case involving Cignet Health that resulted a $4.3 million civil monetary penalty. That case demonstrated OCR's willingness to address willful neglect.

Long Way to Go

Still, the question remains: Have these efforts been effective? The nearly 280 major breaches reported to OCR so far, along with the approximately 31,000 smaller breaches that have been reported, clearly demonstrate there is still a long way to go. So it's difficult to make the argument that enforcement so far has had the effect lawmakers were shooting for when they crafted HIPAA.

I believe there are two reasons for this. The first is that OCR's actions have suffered from obscurity. Understandably, corrective action plans are not generally publicized, so their effectiveness as an influencer is largely muted. Unfortunately, accountability without visibility is rarely effective.

Second, OCR's recent announcements of only three HIPAA violation cases that have resulted in financial penalties, given all of the complaints and breaches reported, seems inadequate. Again, accountability without teeth suffers.

So what could OCR do to motivate change in the industry?

HIPAA Enforcement Steps

For starters, OCR could find a way to be more transparent with respect to the actions it takes. For example, it could publicize the corrective actions taken in the wake of breaches, perhaps even de-identifying the names of the organizations. That way, everyone could learn from these events and possibly avoid similar experiences.

Third, OCR should initiate the random compliance audit program, not as an enforcement mechanism, but as a vehicle for gauging HIPAA and HITECH effectiveness overall, as it was originally designed to do.

There are more than 300,000 covered entities that must comply with HIPAA, factoring in business associates, which now also must comply. Unless OCR is going to conduct an incredible number of audits, those who have played the odds previously, betting that the pond was so large they'd never be visited, are likely to continue to do so. In fact, one should ask if this is even an effective use of resources. Enforcement value is minimal, and if the scope of these audits is not expanded to address all types of covered entities, providers, payers, clearinghouses and business associates, they may not even provide a useful indicator of compliance.

Fourth, OCR should enhance its process for analyzing the smaller breaches reported and firm up criteria for when an investigation is warranted. This analysis should address both individual reports as well as the aggregation of reports from a single entity to identify high-risk candidates for audit.

Finally, OCR should promote the adoption of appropriate, clear-cut standards for data security in healthcare. As the organization charged with enforcement, OCR has the unique ability to study the root causes of complaints and breach incidents and then pinpoint shortcomings in HIPAA privacy and security rule requirements.

Thanks to the "safe harbor" provision in the HITECH breach notification rule, there's been a definite increase in the adoption of encryption. That's because the provision makes it crystal clear that breaches involving data that's properly encrypted don't have to be reported.

Clearer security standards and requirements that go far beyond encryption would prove extraordinarily helpful in addressing the general security requirements gap that the inspector general identified in its report.

Mac McMillan is co-founder and CEO of CynergisTek Inc., an Austin, Texas-based firm specializing in information security and regulatory compliance.

About the Author

McMillan is co-founder and CEO of CynergisTek Inc., a firm specializing in information security and regulatory compliance. He has more than 30 years of federal and private sector experience in managing and delivering information security services and is chair of the HIMSS Privacy and Security Steering Committee.